Zoom Security (IT) | CSU Northridge (2024)

Zoom is committed to keeping your personal data secure. Zoom uses “industry-standard security technologies, procedures, and organizational controls.”

For more detailed information, visit their website,Zoom's Privacy Policy.

Zoom has discovered a vulnerability with their chat feature. In Zoom's chat feature, users can communicate through messages in a chat room. The vulnerability allowed users in meetings to send links that could possibly be malicious and/or lead to theft of passwords and in severe cases the theft of personal information. When links are sent thorough this chat they are converted to URLs. Users in these meetings can click on these URLs. This poses a threat when a malicious link is sent and users proceed to click on it. Due to the act of this conversion Zoom converted every URL and UNC to a clickable link, the problem with this is that Windows will share the users' username and password, which could then be easily intercepted.

This system can also be used to launch other applications. Usually, when your Windows computer launches a new application it will ask the user for permission; however, in this instance, it does not and opens the application immediately.

Zoom recently released an update that fixed this issue. Once this update is complete the links will not be clickable.

Why Working Remotely is Different

Working at home presents a unique challenge for information security because remote work environments don't usuallyhave the same safeguards as working in the CSUN environment.When CSUN faculty and staff are on the CSUN campus,they are working behind layers of preventive security controls. While not 100% foolproof, it is harder to make a securitymistake while in the CSUN environment. However, when CSUN issued devices leave the perimeter or faculty and staff workremotely, new risks arise and additional protections are essential.

Threats to Working Remotely

• Unsecured Wi-Fi networks:Not everyone has a secure home network with strong firewalls. Public Wi-Fi networks, such as those in coffeeshops, are also unsafe for conducting business. Unsecured public Wi-Finetworks are prime spots for maliciousparties to spy on internet traffic and collect confidential information.
• Using personal devices and networks:Many faculty and staff will be forced to use personal devices and homenetworks for work tasks. These homedevices lack safeguards built in to business networks such as antivirus,firewalls, and backup tools. This increases the risk of malware finding its way onto devices and both personal andwork-related information being breached.
• Scams target remoteworkers:Hackers target remote workers, because of the lowered security measures.

Security Musts When Working Remotely

These are some additional precautions that must be taken by employees when working remotely:

NeverusepublicWi-Fi

Public Wi-Fi introduces significant security risk and must be avoided. Instead of public Wi-Fi use a CSUN or personal hotspot from a dedicated device or your phone. If you are not able to access a hot spot you may also use a VPN to connect to CSUN’s network. Using a cellular network is safe.

Secure your home Wi-Fi

Change your router password. Make sure firmware updates are installed so that security vulnerabilities can be patched. The encryption should be set to WPA2 or WPA3.You can check this by reviewing your manufacture router manual or checking your WIFI network preferences on your device to see what your connected service encryption is set to.Make sure your Wi-Fi has a strongpassphrase/password. Restrict inbound and outbound traffic, use the highest level of encryption available, and switch off WPS.

UseaCSUN maintained device

CSUN techs ensure your workstation, laptops and tablets have anti-malware, encrypted drives, licensed software and the latest patches. Yourpersonal devicesdo not meet CSUN requirements.Your personal devices could introduce a risk to CSUN’s data and your account.If you have a CSUN laptop make sure to use it at home for work. Even for accessing your work emails. If you were not assigned a laptop, your department or college may allow you to take your workstation home. Check with your local tech.

UseCSUNVPNwithMulti-FactorAuthentication(MFA)

CSUN VPN encrypts, tunnels and protects all of your internet traffic, so that it is unreadable to anyone who intercepts it. This keeps it away from the prying eyes of any hackers and your Internet Service Provider (ISP). CSUN VPN protects your data. Use VPN even if you are checking your email, accessing SOLAR or storing a file in Box. If you are a Level 1 user or have opted-in for MFA, you will be prompted byCSUN’s MFAwhen accessing VPN as an additional security measure.The use of public networks with CSUN’s VPN is high discouraged due to the risk of compromising the information.

Level 1 Users
A Level 1 user is any CSUN faculty, staff or student worker who has access toLevel 1 dataother than their own. Level 1 users must use a CSUN maintained device when accessing Level 1 data or a Level 1 system. You may not access Level 1 systems from your personal devices. Use your CSUN maintained device (desktop or laptop) at home to access Level 1 data or systems. As an alternate, some departments and colleges have set up virtual machines that conform to theHigh Risk Workstation Standard. If your department has set up such machines and the machines are only accessible viaCSUN’s Global Protect VPNwithMFA,then you may access the virtual machines via your personal devices. If you need assistance, contact yourlocal tech.

Keep work data on work computers or CSUN approved storage

If you don’t have a CSUN laptop or workstation at home, the next best thing is to access your CSUN workstation remotely. While certain remote access tools have security vulnerabilities, using the CSUN VPN with MFA will mitigate those issues. Make sure you are usingMicrosoft Remote Desk Protocol(RDP)software on both Windows and Mac machines. Make sure your patches forRDPare up to date. CSUN also has several virtual workstation options available. Contact your tech or IT to see if this option is available to you. Don’t store CSUN files on your home computer. Use your work computer or Box to store your CSUN files.

Do not share your device

If you are working from home and are forced to use your personal device, make sure you are the only one using your device (computer, tablet,etc.). CSUN data cannot be shared with family members. Allowing others to use a device that is being used to access CSUN data violates CSUN policy by potentially sharing it with persons that have no right to see CSUN data. This includes your spouse.

Patch all your software

Updates to device software and other applications cansometimes take a long time. But they really are important. Updates often include patches for security vulnerabilities that have been uncovered since the last iteration of the software was released.Patch yourpersonal devices.

Set up the firewall on your computer

Firewalls act as a line defense to prevent threats entering your system. The firewallcreatesa barrier between your device and the internet by closing ports to communication. This can help prevent malicious programs entering and can stop data leaking from your device. Your device’s operating system will typically have a built-in firewall. Turn it on.

Use antivirus software

Although a firewall can help, it’s inevitable that threats get through. A good antivirus software can act as the next line of defense by detecting and blocking known viruses or malware. Even if viruses or malware does manage to find its way onto your device, an antivirus may be able to detect and, in some cases, remove it. Turn on anti-virus and keep it up to date.

Make sure you are using properly licensed software

Most software that CSUN licenses can only be used on CSUN devices. Exceptions are software on the Software Download page and software such as Microsoft Office that explicitly states it can be downloaded on multiplehome devices. Please make sure when working from home and using your own machine that you do not violate any license agreements. If you have any questions please contact.

Never leave your devices in the car

Never leave their work computers or devices in a vehicle. It’s a best practice to keep work laptops and devices on your person at all times.The trunk of your car is not any safer. There may be criminals watching the parking lot from afar, waiting for their next victim. Putting valuables in the trunk may make life a little bit easier in the short-term - but why take that chance?

Taking home paper files?

Keep all confidential paper files locked up and inaccessible to other persons in the household except when using. Use a cross cut shredder if disposing of any paper files. Make sure you can account for any and all confidential files that are removed from the office by having a checkout system.

Look out for phishing emails and sites

Phishing emails,as well as voicemails (vishing) and text messages (smishing) are used by cybercriminals to “phish” for information. This information is usually used in further schemes such as spear phishing campaigns (targeted phishing attacks) and account takeover fraud.The recent outbreak of theCoronavirushas allowed cybercriminals to use it as a tactic in their mission to cash in or pursue personal information.These cybercriminals have been known to send out emails, make phone calls and publish websites with falseinformation.To spot a phishing email, check the sender’s email address for spelling errors and look for poor grammar in the subject line and email body. Hover over links to see the URL and don’t click links or attachments unless you trust the sender 100 percent. If in any doubt, send the email toand we will check it out. If you do click a link and end up on a legitimate-looking site, be sure to check its credibility before entering any information. Common signs of a phishing site include lack of an HTTPS padlock symbol (although phishing sites increasingly have SSL certificates), misspelled domain names, poor spelling and grammar, lack of an “about” page, and missing contact information.

For More Information or If you Suspect a Breach

If you have any questions or suspect you may have been breached,please contact Information Security atiso@csun.eduor x6100

Additional Resources

For more information on tips for working at home please visit theNINJIOsite for informational videos.